The roadwarriors carol and dave set up a connection each to gateway moon, both ends doing certificate-based EAP-TLS authentication only. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 client-server interface compliant with RFC 5793 PB-TNC.

carol passes the health test and dave fails. Based on these measurements the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively.